FUZZING That Leads to Internal Source Code!

2 weeks ago 18

So, I’d been feeling pretty rough lately, health-wise. It felt like my life had turned into a constant loop of doctor visits and checkups, none of which seemed to do much good. One day, while I was sitting around waiting for yet another appointment, my phone buzzed with a message on Telegram. It was from a college friend who’d sent a stack of screenshots and two files, claiming he’d hit something interesting using a fuzzing technique I’d shared with him.

Five days had passed since he messaged, but I hadn’t checked it until now. Bored and in need of a distraction, I decided to finally take a look. Using Termux (a Linux emulator on Android), I downloaded the files with `wget https://secret.supersecret.com/lectures.tar` and unpacked them with `tar -xvf lectures.tar`. (What can I say, `tar -xvf` just has that cool hacker feel.)

Once I unpacked the files, I found myself staring at over 7800 directories, many with the same files and names. I felt a bit let down, thinking this would just be one of those boring finds that might earn a P4 at best, and maybe even a P5 if I reported it. But hey, curiosity got the better of me, so I ran `tree` in the terminal just to see if anything would jump out. The output flooded my screen with file names but nothing interesting yet.

I then decided to try something different and ran `tree | grep -iR 'video_play.php'`. This time, I spotted some unique files: `not_phpinfo.php`, `check.php`, `connections.php`. Now I was intrigued. Without wasting any more time, I jumped over to Bugcrowd and submitted the report.

After a couple of days, Bugcrowd marked my report as P3. It made sense — the files weren’t overly sensitive, and they were hosted on AWS, which meant exploiting them wouldn’t be straightforward. But then, one file suddenly came back to mind: `check_db.php`. I hadn’t opened it before, but now I felt an itch to check it out.

So I fired up WSL (Windows Subsystem for Linux) on my computer and opened the file. I scrolled through hundreds of lines until my eyes caught something interesting: `db_connection = db(*****, *****, *****, ****)`. Right there in plain text was the MySQL database username, password, and other details — a jackpot of information.
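A defender-side way to triage a dump like this, written as an added example (not code from the post or its author): it counts how often each filename appears across the extracted directories so the one-off files stand out, then scans those rare PHP files for connection calls that pass several string literals and reports them with the values redacted. The `db(...)` wrapper name comes from the post; `mysqli_connect`/`new PDO`, the sample directory layout and the credential values are assumptions constructed for the demo.

```python
import os
import re
import tempfile
from collections import Counter

# PHP calls that usually take connection credentials as positional string literals.
# db(...) is the wrapper the post shows; mysqli_connect and new PDO are assumed equivalents.
CRED_CALL = re.compile(
    r"\b(?:db|mysqli_connect|new\s+PDO)\s*\((?P<args>[^)]*)\)", re.IGNORECASE)
STRING_LIT = re.compile(r"""(['"])([^'"]*)\1""")

def rare_files(root, max_count=1):
    """{basename: first path} for names seen <= max_count times under root.
    Among thousands of near-identical directories, one-off names are read first."""
    counts, first = Counter(), {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            counts[f] += 1
            first.setdefault(f, os.path.join(dirpath, f))
    return {f: first[f] for f, n in counts.items() if n <= max_count}

def hardcoded_credentials(path):
    """[(line_no, redacted args)] for calls with >= 2 string-literal arguments."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for no, line in enumerate(fh, 1):
            m = CRED_CALL.search(line)
            if m:
                lits = [v for _, v in STRING_LIT.findall(m.group("args"))]
                if len(lits) >= 2:  # values redacted so the hit is safe to paste in a report
                    hits.append((no, ", ".join("*" * len(v) for v in lits)))
    return hits

def scan_tree(root):
    """Map each rare .php file under root to its credential findings."""
    return {f: hardcoded_credentials(p) for f, p in rare_files(root).items()
            if f.endswith(".php")}

def build_sample_tree():
    """Constructed stand-in for the extracted archive: 50 duplicated dirs plus one check_db.php."""
    root = tempfile.mkdtemp()
    for i in range(50):
        d = os.path.join(root, f"lecture_{i:03d}")
        os.makedirs(d)
        with open(os.path.join(d, "video_play.php"), "w") as fh:
            fh.write("<?php include 'connections.php';\n")
    with open(os.path.join(root, "check_db.php"), "w") as fh:
        fh.write("<?php\n$c = db('db.internal', 'app', 'Hunter2!', 'lectures');\n")
    return root
```

Running `scan_tree(build_sample_tree())` returns only `check_db.php`, flagged at line 2 with four redacted arguments; the 50 copies of `video_play.php` are skipped as duplicates.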

Just as I was about to dive deeper, my health took a nose dive again, landing me in the hospital. By the time I got back home, Bugcrowd had already closed the issue and awarded some points to me and my friend for the discovery. I was happy, but I couldn’t shake the thought: if only I’d dug a bit further and exploited the database access, this might have been a P1!

:( Pain

Sometimes, life doesn’t go exactly as planned, but I believe things happen for a reason. Until next time, stay curious and keep hunting! If you’re interested in my adventures, you can check out my Twitter here.

References
- Termux
- Windows Subsystem for Linux
- Bugcrowd
- Amazon Web Services

Thanks for reading! Stay tuned for the next adventure.
